SaladCesar Hi, thanks! I have already found someone who is also willing to try, but sadly I haven't been able to fully bypass it yet. Will do some further investigation and reach out to you, should I need someone else to test it.
Issue with SwissID
@1fexd Aren't they either using the hardware key attestation API or the Play Integrity API? Hardware key attestation API can be used to detect green verified boot state without a way to spoof it (it can be bypassed via an exploit for leaking keys but not spoofed).
So from my findings they do a simple root/bootloader unlocked check via the RootBeer library which is quite trivial to remove from the app with a patch built on the ReVanced framework. It appears, however, that they are indeed also using PlayIntegrity. I am currently checking if they associate the verdict with the app installation ID or something similar, because the behavior I have observed is that the app launches, appears to do a "classic" PlayIntegrity check, then shows a toast error message and shuts down the app. Maybe it is possible to just patch out the code that shuts down the app.
I think they decided to rewrite the app after getting so many 1 stars in G Play and people complaining about it. The latest version works just fine, even with memory tagging enabled and native debugging disabled.
iyanmv The latest version works just fine, even with memory tagging enabled and native debugging disabled.
I'm not a Swiss citizen so can't properly test this, but I confirm that I'm able to launch the app and proceed to the account registration page without issues. No exploit protection compatibility mode was needed.
If the app proceeds to work fine after that, this is really great news!
They broke the app again with the recent updates. Now the app starts and shows a screen that says: "Device appears to be rooted. For security reasons, you can not use the SwissID App on a rooted phone. We are happy to welcome you back one your phone has been restored to a non-rooted state."
I'm contacting support again with zero hope that they will understand or help anything. Not only that, now the app also uses native code debugging, and they introduced some memory bug that is detected by the memory tagging of the Pixel 8.
Hi all
just got an answer from Swiss ID Support that they changed again:
Since the last update we have been using a different appdome as root SDK and are in the process of replacing it with another one that has different identification principles.
We are working on it, and you will be notified as soon as the problem is fixed.
As an alternative verification method, you can request an SMS instead while entering your password.
Thank you in advance for your reply and your understanding.
Kind regards
fid02 From DeepL Translate:
Since the last update we have been using a different appdome as root SDK and are in the process of replacing it with another one that has different identification principles.
We are working on this and you will be notified as soon as the issue is resolved.
As an alternative verification method, you can request an SMS while entering your password instead.
Thank you in advance for your response and understanding.
Yours sincerely
I have the same problem. The support confirms running a custom ROM breaks compatibility. Their advice is to factory reset the phone or use another phone.
The severity of the bug has increased because the SwissID is now mandatory for many governmental services such as the Electronic Patient File.
They are so incompetent because as a fallback you have to use SMS OTP which is not phishing resistant. You cannot switch off SMS OTP.
Is there any collaboration between Graphene and the developers of those root-detecting SDKs? To me it looks like this is a malfunction of an SDK since the phone is not rooted.
Just came here to say that I have the same problem on a Pixel 6a with GrapheneOS BUT also on a Motorola which has stock Android, is not rooted or has any other modification. It's a completely new phone. So their root detection is clearly broken.